Smartphones, Texts, and HIPAA: Strategies to Protect Patient Privacy

Richard F. Cahill, JD, Vice President and Associate General Counsel, The Doctors Company, Part of TDC Group

Practitioners have embraced smartphone technology, with the vast majority using phones to communicate via text messages and access patient information. The attraction is obvious: Smartphone applications place libraries full of information at users’ fingertips, literally a click away. Texting via secure messaging systems is instantaneous, convenient, safe, and direct. It reduces the time spent waiting for colleagues to call back, and it can expedite patient care by facilitating the exchange of critical lab results and other necessary patient data.

Smartphone technology is not just for peer-to-peer use: To manage their own healthcare needs, empowered patients are requesting more access to their practitioners and care records. Patients are also investing in mobile health technologies that provide continuous vital sign monitoring and generate health data that can be sent to their practitioners. (For more information on this topic, see our article “Remote Patient Monitoring: Considerations for Telehealth Care.”) Technology is becoming essential to the patient experience and increasingly important to younger, technology-savvy patients.

Safeguard Against HIPAA Violations

The very convenience that makes smartphone technologies so inviting may also lead to privacy and security violations if messages containing protected health information (PHI) are not properly safeguarded. It is important that practitioners and their teams understand that communications with patients or other caregivers have the potential to violate federal and state privacy laws.

Practitioners and team members must not communicate with patients using their personal text messaging systems. Before communicating with patients through electronic technologies, a practice must have in place both a secure, HIPAA-compliant messaging platform that interfaces with the EHR and strong administrative procedures. HIPAA compliance is paramount to the practitioner’s ability to communicate safely and to send appointment reminders, alerts, and other follow-up reminders.

Text messages among colleagues should also be encrypted and exchanged in a closed, secure network designed specifically to protect PHI—not on personal messaging systems. A secure messaging platform allows for the encrypted flow of information and storage in the patient record. Many EHR products now interface with secure messaging systems or the secure systems are integrated into the EHR product.

Implementing a secure messaging platform must include establishing electronic communication policies regarding the proper and improper uses of texting—which means specifying what types of information may or may not be texted. Patients must also be educated on how the practice uses electronic communications and/or texting and be given the option of consenting or opting out of those communications. It is useful to post those policies on the practice website.

In addition to using a secure messaging platform, other baseline protections include automatic screen locking settings and remote wiping programs. An automatic screen locking setting secures a device when it is inactive, requiring a password to unlock it; the timing can be changed to shorten the interval before the screen locks. Remote wiping programs can erase data, texts, and email. Both safeguards must be configured before a device goes missing, and both provide additional protection in the event a device is lost or stolen. The government website HealthIT.gov provides tips and information for individuals and organizations on securing mobile devices.

Compliance is a challenge when the technology options and HIPAA security rules are not known or are misunderstood. Some clinicians are still using unsecured personal messaging systems and consumer apps to text images and send files containing PHI. With penalties up to $50,000 per HIPAA violation, safeguarding communications should be a top priority.

Ensure Accuracy to Avoid Liability Concerns

Shorthand and abbreviations are commonly used in text messaging. The informal nature of text messages can increase the chances of miscommunication. It is important to ensure accuracy and use standardized and approved abbreviations, particularly when patient information is exchanged over text.

Texting cannot substitute for a dialogue with a colleague concerning a patient. If the matter is critical or you have any doubt about the communication, it is best to speak directly with your colleague.

Discoverability

Just as phone records are discoverable during litigation, so are text messages on personal and work-designated smartphones. When changes occur in the patient’s condition or a serious event takes place, limit texting to messages sent over a secure messaging platform, and ensure that message content is appropriate for the patient record. Do not use personal messaging systems for any message that contains PHI or that is not compliant with the HIPAA Security Rule. For example, if you don’t have access to a secure messaging system and need to use your personal phone, text a generic message such as “please call urgently.”

Communication about patient care information should be made in person or by person-to-person phone call and documented in the patient record. If texting is the only way to communicate, keep texts brief, professional, and to the point. If you would not document the communication in the patient record, do not say it in a text message. Avoid expressing your opinion in a text about the care others have provided, unexpected events, or possible errors. Instead, communicate your understanding of events using an appropriate format, such as in an incident report or during a postevent investigation.

Text messages from medical or dental device representatives and other vendors who are present during patient care are also discoverable. Text messages should not contain discussions, opinions, or comments that would not be included in the patient record.

Take Steps to Protect Your Practice

Consider the following strategies for safeguarding your practice:

  • Conduct a risk assessment to evaluate the risks of texting—including message content and security measures that have been taken.
  • Use a secure messaging platform to send communications, not a personal or unsecure messaging system.
  • Enable encryption on your mobile device.
  • Set screens to lock automatically if inactive and use the remote wiping function to prevent lost devices from becoming data breaches.
  • Ensure that your system has a secure method for verifying practitioner authorization.
  • Have a texting policy that outlines the acceptable types of text communications and specifies situations in which a phone call is warranted. Specify any applications that would be used in conjunction with texting.
  • Know your recipient and double-check the “To” field to prevent sending confidential information to the wrong person.
  • Minimize identifying patient details in texts.
  • Assume that your text can be viewed by anyone in close proximity to you, and always maintain physical control of your device.
  • Ensure that the metadata retention policy of the device is consistent with the patient record retention policy and/or that it is in accordance with a legal preservation order.
  • Report to the practice’s privacy officer and your malpractice carrier any incidents of lost devices or data breaches.

For additional guidance, contact the Department of Patient Safety and Risk Management at (800) 421-2368 or by email.


The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.

J01803 12/24
